Dompurify vs sanitize-html (latest)
(version: 0)
Comparing performance of:
DOMPurify vs Sanitize HTML
Created: one year ago by: Guest
HTML Preparation code:
<script src="https://cdn.jsdelivr.net/npm/sanitize-html/dist/sanitize-html.min.js"></script>
<script src="https://cdn.jsdelivr.net/npm/dompurify/dist/purify.min.js"></script>
Tests:
DOMPurify
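// Test input: benign markup plus a javascript: URL and an inline onerror handler.
const testString = `
  <b>Welcome to safeland</b><br>
  <a href='javascript:alert(1)'>This is fun</a><br>
  <img src=x onerror=console.log(1)>
`;
// Sanitize with DOMPurify's default configuration.
const result = DOMPurify.sanitize(testString);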
Sanitize HTML
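// Test input: benign markup plus a javascript: URL and an inline onerror handler.
const testString = `
  <b>Welcome to safeland</b><br>
  <a href='javascript:alert(1)'>This is fun</a><br>
  <img src=x onerror=console.log(1)>
`;
// Sanitize with sanitize-html's default options.
const result = sanitizeHtml(testString);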
Latest run results:
Run details (test run date: 6 days ago):
User agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/146.0.0.0 Safari/537.36 Edg/146.0.0.0
Browser/OS: Chrome 146 on Windows
| Test name | Executions per second |
| --- | --- |
| DOMPurify | 17903.7 Ops/sec |
| Sanitize HTML | 79596.4 Ops/sec |
Autogenerated LLM Summary (model llama3.2:3b, generated one year ago):
Let's break down the provided JSON data and explain what's being tested, compared, and considered.

**Overview**

The benchmark measures the performance of two HTML sanitization libraries: `sanitize-html` (Sanitize HTML) and `DOMPurify`. The test cases are designed to evaluate the speed and efficiency of these libraries in cleaning up malicious input strings.

**Options Compared**

Two options are being compared:

1. **Sanitize HTML**: This library uses a regex-based approach to remove unwanted characters, tags, and attributes from HTML input.
2. **DOMPurify**: This library uses a more advanced algorithm that analyzes the input string's structure and removes malicious elements, such as script tags, links with JavaScript code, and inline event handlers.

**Pros and Cons of Each Approach**

* **Sanitize HTML**
  + Pros:
    - Simple and efficient implementation
    - Effective against simple attacks (e.g., removing script tags)
  + Cons:
    - May not catch more complex attacks (e.g., JavaScript code embedded in attributes)
    - Can be slow for large input strings due to regex overhead
* **DOMPurify**
  + Pros:
    - More comprehensive and effective against complex attacks
    - Optimized for performance, reducing execution time
  + Cons:
    - More complex implementation, potentially slower than Sanitize HTML
    - May require more memory to process input strings

**Library Descriptions**

1. **sanitize-html**: A lightweight JavaScript library developed by Michael D. Catanzaro. Its purpose is to sanitize user-inputted HTML to prevent cross-site scripting (XSS) attacks.
2. **DOMPurify**: Developed by Ted Goode, DOMPurify is a popular JavaScript library designed to clean up malicious input strings, removing unwanted tags, attributes, and content.

**Special JavaScript Features or Syntax**

The test cases use some special JavaScript features:

1. **Template literals**: The `testString` variables are created using template literals, which allow for string interpolation with JavaScript expressions.
2. **JavaScript code embedded in HTML**: Some of the input strings contain JavaScript code embedded in attributes (e.g., `<img src=x onerror=console.log(1)>`). This demonstrates a common XSS vulnerability.

**Other Alternatives**

If you're interested in exploring other options, consider the following:

* **js-sanitize**: Another lightweight JavaScript library for HTML sanitization.
* **html-purer**: A more comprehensive library that also removes comments and styles from input strings.
* **XSS filter**: Some web frameworks and libraries, like Node.js's built-in XSS filter, provide built-in protection against XSS attacks.

Keep in mind that this benchmark is focused on the performance of specific libraries, but there are other considerations when evaluating HTML sanitization solutions, such as security, feature set, and ease of use.
Related benchmarks:
Dompurify vs sanitize-html
Dompurify 2.3.3 vs sanitize-html 1.27.5 vs Js-XSS Latest (Test #1)
Dompurify 2.3.3 vs sanitize-html
Dompurify vs sanitize-html latest